Overview

overview

10

Static

static

10

317126c33f...b5.exe

windows7-x64

9

317126c33f...b5.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    18/04/2024, 20:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    317126c33f32ea5a9b5d87bacb93c8b122d34852cc9f6f6ef1ae91ad12a2d9b5.exe

  • Size

    97KB

  • MD5

    40e294ed7c42f1a8172a52442dce2af4

  • SHA1

    f8f7b8910558065b017070cb8bd30f69e6c03ce8

  • SHA256

    317126c33f32ea5a9b5d87bacb93c8b122d34852cc9f6f6ef1ae91ad12a2d9b5

  • SHA512

    5c38469d5ac74e1c2d9bf5f48adca4a4d81aa0315bc4a8fe35b3770b8f5b18e139cb077f92869e2b37cd742a05ae4d359b8023cd5f7d9c7ca8420ed2e487cb32

  • SSDEEP

    3072:W6Ccn27mUC7AdYzrV+Dljy/32ubwZZqJ:W6Ccn2xCkdYzrVolu/J0ZZ

Score
9/10
persistenceupx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 13 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\317126c33f32ea5a9b5d87bacb93c8b122d34852cc9f6f6ef1ae91ad12a2d9b5.exe
    "C:\Users\Admin\AppData\Local\Temp\317126c33f32ea5a9b5d87bacb93c8b122d34852cc9f6f6ef1ae91ad12a2d9b5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Users\Admin\AppData\Local\Temp\317126c33f32ea5a9b5d87bacb93c8b122d34852cc9f6f6ef1ae91ad12a2d9b5.exe
      "C:\Users\Admin\AppData\Local\Temp\317126c33f32ea5a9b5d87bacb93c8b122d34852cc9f6f6ef1ae91ad12a2d9b5.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSWTH.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2884
      • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1628
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          PID:1164

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\GSWTH.bat
          Filesize

          157B

          MD5

          f6a90c20834f271a907a4e2bc28184c2

          SHA1

          36c9d1602b74f622346fbb22693597d7889df48d

          SHA256

          73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

          SHA512

          39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

          Download Submit

        • \Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          Filesize

          97KB

          MD5

          d7024f489cd269a415b3611d03126dd2

          SHA1

          0639f6696103ac6fb30a57f2d0486e127be4bb59

          SHA256

          526a7724c58000ae0d9615a2fea0b865d120d9d6ea91b58d7cede1b4d9ce69a4

          SHA512

          543ad5b2c949cb819edaa7aaa216f20a1731adb5859f48c4f9a25b32490082a291ee1e55693930901067b9669cab6b9a1f9e79e59f13a13455b25df32757e786

          Download Submit

        • memory/1164-1124-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1164-1116-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1628-1121-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1628-961-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2668-453-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2668-958-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2668-459-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2668-1118-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2668-503-0x0000000002810000-0x000000000284B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/2900-717-0x0000000002690000-0x0000000002691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2900-595-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/2900-504-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/2900-1115-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/2936-465-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/2936-244-0x0000000002610000-0x0000000002611000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2936-245-0x0000000002650000-0x0000000002651000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2936-0-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/2936-96-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/2936-3-0x0000000000330000-0x0000000000331000-memory.dmp

          Filesize

          4KB

          Download